MEMORANDUM

DATE:          January 14, 2002

TO:            Mark Carney
               Deputy Chief Financial Officer
               Office of the Chief Financial Officer

FROM:          Lorraine Lewis /s/

SUBJECT:       FINAL AUDIT REPORT: ED’s Implementation of FMSS Oracle Federal
               Financials Phase II and III (Control Number A11-C0007)

This audit report presents the results of our limited scope work related to the implementation of
the Financial Management System Software (FMSS) Oracle Federal Financials (Oracle
Financials) Phases II and III. The purpose of our audit was to identify potential risk areas in the
development and implementation of Oracle Financials. Our audit included a review of: (1)
testing, including interfaces and data conversion; (2) the status of the development of interfaces;
(3) independent verification and validation (IV&V) of Oracle Financials development; (4) Oracle
Financials training; (5) Oracle Financials security; and (6) the status of maintenance/support
plans for Oracle Financials.

Due to the planned January 22, 2002, Oracle Financials implementation date, we performed
limited scope audit work from October 31 to November 30, 2001, in order to provide you
information on potential risk areas before the new system is implemented. Specifically, we
focused our analysis on identifying risks in the development of Oracle Financials compared to
best practices, standards, and regulations.
We generally did not attempt to quantify the effect of
these weaknesses or determine the underlying causes.


                                       AUDIT RESULTS

We identified risks in several areas of Phase II and III implementation: (1) test planning
documentation is incomplete; (2) testing of interfaces did not include all controls; (3) complete
IV&V will not be performed before implementation; (4) training may not adequately prepare
end-users; (5) user access controls do not follow security requirements; and (6)
post-implementation operations and maintenance plans have not been fully developed and
implemented. The Office of the Chief Financial Officer (OCFO) needs to address these risks to
ensure that required functions and controls will operate as intended upon implementation.

ED's Implementation of FMSS Oracle Federal Financials Phase II and III     Final Report     ED/OIG A11-C0007

We also reviewed data conversion and identified that 4,250 problem items were reported. OCFO
officials stated that they are addressing these items. As of the end of our audit work on
November 30, 2001, we had not received complete documentation on how conversion problems
were being addressed; thus, we cannot evaluate how problems were resolved. This issue is
summarized in more detail in the OTHER MATTERS section of this report.

Management Comments and OIG Response

In the Deputy Chief Financial Officer’s (CFO) written comments to our draft report, OCFO
officials did not generally concur with Findings 1, 2, 4, 5, and 6. The comments did not include
a specific reference to Finding 3; however, in a subsequent electronic mail message, the OCFO
concurred with Finding 3 on the need to complete IV&V activities prior to system
implementation. The Deputy CFO also suggested wording revisions for clarification, which we
incorporated as appropriate.
We have summarized OCFO's comments and provided the OIG
response, as appropriate, after each finding. A complete copy of OCFO's comments is provided
in ATTACHMENT B.


Finding 1: Test Planning Documentation Is Incomplete

During our fieldwork, we identified several concerns with the OCFO’s application and
integration testing of Oracle Financials Phase II and III functions required by the Joint Financial
Management Improvement Program (JFMIP).[1] According to documentation we reviewed, we
identified that (1) some required functions are not included in test plans; (2) some functions were
only partially tested; and (3) actual testing results and supervisory reviews for many of the
functions were lacking at the time of our review. Risks in these areas could affect proper
functioning of required functions and controls when the system is implemented.

System development practices require documented test plans, test scripts, and test scenarios
detailing how each requirement is to be tested in order to provide assurance that required
functions will perform as intended. Testing staff needs to be provided detailed test scripts and
scenarios in order to fully test each function. However, we identified several weaknesses in the
testing. In a review of 52 sampled JFMIP required functions (provided in ATTACHMENT A),
we could only determine that 7 were fully tested.

[1] OMB Circular A-127 Financial Management Systems (Revised July 23, 1993), section 7g states:
    “Agency financial management systems shall conform to existing applicable functional
    requirements for the design, development, operation, and maintenance of financial management
    systems. Functional requirements are defined in a series of publications entitled Federal
    Financial Management Systems Requirements issued by the Joint Financial Management
    Improvement Program.” OCFO’s document, New FMS Accounting Model, February 23, 2000,
    documents in Section 2 Accounting Model Best Practices, the need to use JFMIP financial
    systems requirements when testing compliance of commercial-off-the-shelf products. This
    statement indicates OCFO’s acknowledgement of the need to use JFMIP requirements for testing
    of its system.

Of the remaining functions:

    •    9 functions[2] were not referenced in test plans, test scripts, or test scenarios; thus, we
         could not determine if they were included in testing;
    •    21 functions were only partially addressed in test planning documents; some did not
         have detailed test scripts for use by testers; for some functions, only certain types of
         transactions were tested; and some tests were performed using only valid data and did
         not test using invalid data; and
    •    15 requirements lacked documented test results and supervisory review.

Without completed and thorough test plans, scripts, and scenarios for required functions and
documented test results and supervisory review, OCFO may not have assurance that required
tests have been satisfactorily completed and incurs a risk that required functions may not operate
correctly.

Recommendation:

1. To ensure that functions will operate correctly and comply with JFMIP requirements, we
   recommend that the CFO ensure that the Oracle Financials Implementation Team completes
   and fully documents test plans, scripts, and scenarios for JFMIP requirements and ensures
   tests have been successfully completed.

Management Comments and OIG Response

The Deputy CFO generally did not concur with this finding, explaining that applicable guidance
does not require an agency to test core financial management functions not applicable to its
operations and that some of the test plan discrepancies cited for the sampled requirements were
caused by functions (1) not deployed during Phases II and III, (2) not applicable to OCFO
operations, (3) not properly mapped to test plans, or (4) being documented in test plans related to
other Education Central Automated Processing Systems (EDCAPS) components.

The comments do not specify which of the 52 sampled requirements meet which of these
conditions; therefore, we could not thoroughly analyze the Deputy CFO’s statements. With
regard to the statement that some of the JFMIP requirements relate to functions not deployed
during Phases II and III, we note that the requirements we reviewed relate to Funds
Management, Purchase Orders, and Accounts Payable, which are the identified purposes of
Phases II and III. We are, therefore, concerned about when OCFO plans to implement these
requirements if they were not deployed during Phases II and III.

[2] The nine functions are:
    1. Accruals of contracts or other items that cross fiscal years.
    2. Separately identifies amounts that would be eliminated when preparing intra-agency and
       interagency consolidations.
    3. Multiple pre-final closings to accommodate incremental adjustments and closings.
    4. Year-end rollover of appropriate system tables into the new fiscal year under the control of
       an authorized system administrator.
    5. Reconciliation of all open accounting period (prior month, current month, prior fiscal year,
       and current fiscal year) balances to their respective subsidiaries through on-line queries
       and reports.
    6. Designated authorities to establish and modify the level of fund control using elements of
       the classification structure, including object class, program, organization, project, and
       fund.
    7. Designated authorities to establish and modify the system's response (either reject
       transaction or provide warning) to the failure of a funds availability edit for each
       transaction type.
    8. Identify payees who receive 1099s, including 1099 Cs.
    9. Comparison of the agency's payment schedule and disbursing office's accomplished payment
       schedule.

With regard to the statement that 3 of the 52 sampled requirements are not applicable to OCFO
operations, we reanalyzed information provided to us after the end of our fieldwork to determine
any discrepancies between this information and the information provided in Finding 1. We
could not identify any mapping or explanation of which JFMIP requirements are not applicable
to OCFO operations. The 52 sampled JFMIP requirements are identified by JFMIP as
“mandatory.”

We are not clear as to the statement that some requirements are not properly mapped to Oracle
Financials test plans.
OCFO’s integration contractor, PricewaterhouseCoopers (PwC), explained
that there are no specific requirements documents and that contract deliverables were based on
discussions and electronic mail messages regarding requirements. OCFO needs assurance that
requirements have been adequately tested and determined to function correctly.

In regard to the comment that some of the functions’ test plans are related to other EDCAPS
systems, we did not identify references to other system test plans and did not receive
documentation for these plans even though we requested all documentation related to testing of
Phase II and III functions. Therefore, we cannot independently verify any functions that might
have been tested outside of the Oracle Financials specific testing environment.

The comments dated January 2, 2002, explain that some of the documentation requested was not
available during our fieldwork, which could account for some of the differences between our
findings and the comments. We recognize that testing was ongoing during our review and is still
continuing. We are concerned that the comments specify that, as of January 2, 2002, Application
and Integration test results packages have not been delivered for 6 of 30 Phase II and III test
areas.
Application and Integration testing was scheduled for completion on November 2, 2001.
With Oracle Financials scheduled for full implementation on January 22, 2002, and all
Application and Integration test results packages not yet received by January 2, we affirm our
finding and recommendation that the OCFO complete and fully document test plans, scripts, and
scenarios for JFMIP requirements and ensure that tests have been successfully completed to
verify that functions operate correctly.


Finding 2: Testing of Interfaces Did Not Include All Controls

To ensure the integrity of system data, testing of interfaces includes testing of controls that data
is complete and accurate and that data interface submissions are complete. OMB Circular A-127
Financial Management Systems (Revised July 23, 1993) section 7j states, “Appropriate internal
controls shall be applied to all system inputs, processing, and outputs.” Our analysis identified
that testing did not include controls to ensure that duplicate information is not processed and that
data is being provided by an authorized source.

While interface controls for data integrity may be inherent within Oracle Financials software,
testing procedures included reviews of those software controls related to data completion, data
accuracy, interface completion, data from or to an authorized entity, and duplicate data
processing in ED’s interface test plans.

We reviewed the test plans that were available for 20 of the 23 interfaces. All 20 of the reviewed
plans included controls for data accuracy and complete interface submission.
However, none of
the 20 interfaces were tested to ensure information is provided by an authorized source, and 19
of the 20 interfaces were not tested for adequate controls to prevent duplicate information
processing. Testing for three of the interfaces, Nortridge Promissory Notes, Checkfree, and
Lockbox, was still ongoing during our review.

Recommendation:

2. To ensure the accuracy of data within Oracle Financials and connected systems, we
   recommend that the CFO ensure that the Oracle Financials Implementation Team fully test
   appropriate controls for each interface.

Management Comments and OIG Response

The Deputy CFO did not concur with this finding, explaining that for interfaces, OCFO uses a
combination of operational controls and automated controls to ensure that the source of the data
is authentic and that duplicate data is not introduced. The assertion that controls exist does not
provide assurance that these controls have been adequately tested. The OCFO comments
provided a sample set of references for three interfaces where the comments stated that adequate
testing was completed; however, the testing information that we reviewed during our audit did
not provide a complete description of the test purposes, making it difficult to determine that the
testing performed was sufficient to conclude that adequate measures are in place to avoid
duplicate transactions. Adequate testing of interfaces must be performed; therefore, we affirm
our finding and recommendation that OCFO fully test appropriate controls for each interface.


Finding No. 3: Complete Independent Verification and Validation (IV&V) Will Not Be
               Performed Before Implementation

In our report on Phase I implementation of Oracle Financials,[3] we identified that the OCFO and
its contractor had not completed minimum IV&V tasks as specified by Institute of Electrical and
Electronics Engineers (IEEE) Standard 1012-1998, Software Verification and Validation. We
recommended that the CFO direct the IV&V contractor to perform the minimum IEEE-specified
IV&V activities for the implementation of Oracle Financials and analyze what other IV&V tasks
need to be performed. OCFO officials concurred with this finding and have taken some actions.
However, the CFO will not have IV&V tasks completed to identify potential system risks prior
to the implementation of Oracle Financials.

[3] ED's Implementation of FMSS Oracle Federal Financials Phase I, ED/OIG A11-B0003 (December 17, 2001).

OCFO had utilized an IV&V contractor for Phase I of Oracle Financials but did not exercise the
option to continue the contract. OCFO has developed a Statement of Work for Phases II and III
IV&V activities but, as of the end of our fieldwork, had not yet awarded the contract.[4] The
IV&V Statement of Work specifies that because OCFO is in the latter stages of the
implementation project, the contractor shall perform pre-implementation and
post-implementation tasks in accordance with industry defined best practices such as standards from
the IEEE and Software Engineering Economics by Boehm.
The pre-implementation tasks
include:
    •    Tracing requirements to system design or testing scenarios;
    •    Acceptance and component test execution and verification;
    •    Retesting code including code reviews on interfaces, enhancement scripts, and
         customizations; and
    •    Risk mitigation assessments.
Post-implementation tasks include:
    •    Working unobtrusively alongside the integrator while they conduct validation testing.
    •    Independently verifying the inputs, processing, and outcomes of the testing relative to
         the expected results.
    •    Re-executing selected test scripts and/or scenarios, as deemed necessary by the
         contractor or as directed by the Department, in order to validate and verify the initial
         testing outcomes.

In addition, the OCFO awarded a contract in October 2001 for an Agreed-Upon-Procedures
review of the accounting logic within Oracle Financials. The objective of the procedures is to
assist the CFO in obtaining assurance that, upon implementation, the accounting logic (the
chosen debit/credit pairing assigned to each accounting event) in ED’s financial management
system will result in financial statements that accurately depict ED’s financial condition. OCFO
planned for the work to be completed by December 21, 2001. OCFO officials stated these
procedures do not serve as independent verification and validation of the Oracle Financials
system development effort and do not, nor are they intended to, include the IV&V tasks specified
in the Statement of Work.

Without an IV&V assessment of the Oracle Financials system development, the CFO is missing
a key tool to provide assurance that the system will provide required functions.

Recommendation:

3. We recommend that the CFO identify the most critical IV&V tasks to be performed and see
   that they are completed to ensure that required functions operate as needed.

Management Comments and OIG Response

The Deputy CFO did not specifically respond to this finding in his comments. However, in a
subsequent electronic mail message, the OCFO concurred with Finding 3.

[4] OCFO officials informed us that they had awarded a contract for IV&V effective December 13, 2001.


Finding No. 4: Training May Not Adequately Prepare End-Users

In our prior review of Phase I "Just-in-Time Training," we identified potential Oracle Financials
end-users in our sample who did not receive the necessary training to efficiently and effectively
use the system. We recognize that the Oracle Financials Training Team has taken action to
improve training based upon the recommendations in our Phase I report and through their own
end-user survey work. Our review of a sample of user surveys found positive responses about
the training. In structured interviews with a random sample of 12 users,[5] we identified issues
similar to our Phase I review. These end-users explained that for the training to be more
effective, it needs to be tailored to users’ specific needs and levels of system access.

The Training Team is now providing training more frequently rather than on a “Just-in-Time”
basis, and the team is making greater effort to encourage attendance and notify users of training
schedules. Of the 285 Phase II and III end-users that signed in for the training, at least 193
completed training evaluations.
We reviewed these 193 training evaluations, provided by the
training team, and noted that they reflected improvements in the training.

According to OMB A-127, “Adequate training and appropriate user support shall be provided to
the users of the financial management systems, based on the level, responsibility and roles of
individual users, to enable the users of the systems at all levels to understand, operate and
maintain the system.” In interviews with a random sample of end-users and Training Team
Liaisons, we identified that a number of concerns remain. For example, we noted that:

1. End-users are still receiving “Super User” access in their training classes, which in many
   cases may not be similar to the access they will use in their everyday job performance.

2. End-users are finding their training to be either too general or area-specific for their job
   needs.

3. System changes due to customization are affecting end-user attendance and training team
   instruction.

Even if it is explained during training that the Super User level of access may be different than in
everyday performance, the training would be more effective if access during training was more
similar to the access to be used in the end-user’s everyday job performance. End-users also
expressed that they felt training was provided at too high a level, without specifying individual
job function, and some expressed that it was too much for their needs. Additionally, we
interviewed 4 out of 25 Training Team Liaisons who reported difficulties in providing the
training because of system changes. They described attendance issues as end-users wanting to
attend training at a later date, after system customization is complete.
Training Team Liaisons
also reported difficulty in keeping the training adjusted with system changes/customizations due
to a lack of communication with the Oracle Financials Implementation Team.

[5] For Phases II and III, there were a total of 395 end users identified as requiring training. We
    stratified the list of end users and randomly selected six end users from each phase.

Addressing these training concerns should help reduce the risk that potential end-users will
experience difficulties in using the system and performing their job functions.

Recommendation:

4. For the remaining "pre" and "post" implementation training, we recommend that the CFO
   direct the Oracle Financials Implementation Team to consult more thoroughly with end-users
   prior to the training to identify their specific training needs.

Management Comments and OIG Response

The Deputy CFO did not concur with this finding, explaining that it would be impractical for
management to create user access levels specific to a student’s job tasks for each classroom
participant. Our concern is that the Super User access in the training might not be similar to the
access the students will use in their everyday jobs. We recognize that, due to the number of
end-users needing training, it would be difficult to train at the exact level of everyday access. We
recommend that the OCFO conduct more thorough consultation with end-users to identify their
specific training needs, which would help identify groups that should be trained together due to
their similar access levels, bringing the training access closer to actual end-user access.

The comments indicate that OCFO is working closely with training liaisons to encourage
trainees to register and attend training classes. We recognized the increased effort to encourage
attendance and notify users of training schedules in our draft report; however, through interviews
with several Training Team Liaisons, we identified that system changes due to customization are
affecting end-user attendance and training team instruction. More consultation with end-users
prior to the training will help to alleviate their concerns regarding system changes and encourage
their attendance. We affirm our finding and recommendation.


Finding No. 5: User Access Controls Do Not Follow Security Requirements

Some Oracle Financials users do not have restricted access to only those functions needed to
perform individual job duties. We identified that there is an excessive number of individuals
with “GL Super User” account access and one user with multiple User IDs. We also identified
that most of the user responsibilities are different from those specified in the Accounts
Payable/Purchase Order (AP/PO) Security Strategy Document. Without restricted access, users
could inadvertently or maliciously access Oracle Financials information, possibly making
unauthorized modifications to the data.

We identified 16 user IDs with “GL Super User” access. OCFO officials stated that two of the
users are system administrators who need Super User access to implement updates and changes.
Super Users have a wide range of functions and privileges, which allow them almost unrestricted
access to Oracle Financials information.
The Federal Information System Controls Audit
Manual (FISCAM),[6] section AC-2.1 states, “Broad or special access privileges . . . are only
appropriate for a small number of users who perform system maintenance or handle emergency
situations.”

[6] General Accounting Office, “Federal Information System Controls Audit Manual,” January 1999.

To ensure that users would not inadvertently be assigned multiple responsibilities that could
provide them with an inappropriate level of system access, we reviewed the Oracle Financials
AP/PO Security Strategy Document provided by OCFO. Our review indicated that while the
security model provided in that document was sufficient to keep users from being assigned
incompatible responsibilities, the model was not followed when actual user roles and
responsibilities were assigned to staff. OMB Circular A-130 states that a set of rules should be
established concerning use of and behavior within the application; such rules shall clearly
delineate responsibilities and expected behavior of all individuals with access to the application.
FISCAM AC-2.1 further states, “The computer resource owner should identify the specific user
or class of users that are authorized to obtain direct access to each resource for which he or she is
responsible.”[7]

Recommendations

5.1. We recommend that the CFO ensure that the Oracle Financials Implementation Team
     determines the minimum number of users with Super User access and restricts access to
     only those who need Super User capabilities to complete their job functions.

5.2. We recommend that the CFO ensure that the Oracle Financials Implementation Team
     makes certain that user responsibilities adequately reflect the AP/PO Security Strategy
     Document to enforce security and access controls.

Management Comments and OIG Response

The Deputy CFO did not concur with this finding, explaining that the security requirements we
reviewed during our audit were specific to the test environment and not the production
environment. The OCFO comments specify that if the security requirements reviewed were for
the production environment, OCFO would agree with our finding that the controls do not follow
the requirements. During our audit, OCFO provided the lists, Active Users and Their Active
Responsibilities, showing the application names and responsibilities for users of Oracle
Financials. These lists were represented to us as the most current information of user profiles
already tested.

If the requirements reviewed are solely for the test environment, we are concerned whether the
access control structure has been tested for the production environment. Application and
Integration testing was scheduled for completion by November 2, 2001, with Customer
Acceptance Testing occurring during the time of our fieldwork. We expected that the access
controls testing would have occurred at this time. The security requirements for the production
environment should be applied and tested on the test system before the system is placed into
production to ensure controls are in place and working as needed. We affirm our finding and
recommendation.

[7] FISCAM AC-2.1: “Resource owners have identified authorized users and their access authorized:
    The computer resource owner should identify the specific user or class of users that are
    authorized to obtain direct access to each resource for which he or she is responsible. This
    process can be simplified by developing standard profiles, which describe access needs for
    groups of users with similar duties, such as accounts payable clerks. Access authorizations
    should be documented on standard forms, maintained on file, approved by senior managers, and
    securely transferred to security managers . . . Broad or special access privileges, such as
    those associated with operating system software that allow normal controls to be overridden,
    are only appropriate for a small number of users who perform system maintenance or handle
    emergency situations. However, any such access should also be approved by a senior security
    manager, written justifications should be kept on file, and the use of highly sensitive files
    or access privileges should be closely monitored by management.”

The comments also state that there are not an excessive number of users with GL Super User
access. As stated in the report, we identified 16 users with such access, and FISCAM states that
broad or special access privileges are only appropriate for a small number of users. Thus, we
affirm our finding and recommendation that the CFO ensure that the Oracle Financials
Implementation Team limits the number of users with such access.


Finding No. 6: Post-Implementation Operations and Maintenance Plans Have Not Been
               Fully Developed and Implemented

At the time of our fieldwork, documentation was not available identifying procedures to be
followed for the daily operations and maintenance of Oracle Financials.
Basically, an
Operations and Maintenance plan provides computer operations personnel with a description of
the software and necessary instructions on how to operate the software including how to
complete non-routine, error, and recovery procedures. Though OCFO has indicated that time
constraints have not allowed focus on this area, OMB A-127 section 7i states that requirements
documents shall be adequate to allow technical personnel to operate the system in an effective
and efficient manner. In addition, National Institute of Standards and Technology Special
Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
(December 1998), section 5.GSS.5 states that these procedures should be in place to ensure that
maintenance and repair activities are accomplished without adversely affecting system security.

Documentation of all aspects of computer support and operations is important to ensure
continuity and consistency. Creating and documenting post-implementation procedures for
operations and maintenance will reduce the risk for oversights in identifying recurring issues or
assessing system performance.

Recommendation:

6. We recommend that the CFO ensure that the Oracle Financials Implementation Team
   develops and implements an Operations and Maintenance plan for the Oracle Financials
   development effort.

Management Comments and OIG Response

The Deputy CFO did not concur with this finding, explaining that the OCFO document, Oracle
Application 11.03 System Operating Procedures dated September 27, 2001, and other documents
identified procedures to be followed for daily operations and maintenance of FMSS Oracle
Financials.
During our audit, neither OCFO officials nor PwC contractors identified the
document, Oracle Application 11.03 System Operating Procedures, or the other specified
documents, but they did refer to the need to develop and implement an Operations and
Maintenance Plan. Subsequent to our review, we requested and reviewed the Oracle Application
11.03 System Operating Procedures and identified that this is a draft document which does refer
to a number of operations and maintenance procedures, but the document does not include other
procedures such as design of internal control and security procedures so that they can be
individually maintained, how to activate security procedures, or how to interconnect the software
with other related software or interfaces. These procedures are a step in the right direction, but
with Oracle Financials implementation scheduled for January 22, 2002, the CFO must ensure
that operations and maintenance documentation is finalized and complete. We affirm our finding
and recommendation.

                                                      OTHER MATTERS

With regard to data conversion, the Mock I Test Results Report identified that about 4,250
problem items were reported while converting nearly 20 million data items from the current
i.e.FARS system to Oracle Financials. During our fieldwork, OCFO officials stated that they
have addressed the Mock I data conversion problems. As of the end of our fieldwork on
November 30, 2001, we did not receive complete documentation on how conversion problems
were addressed; thus, we cannot evaluate how conversion problems were resolved.
The OCFO
officials stated that they would run the Mock II conversion test to ensure that all problems have
been adequately addressed and to identify any issues in previously unconverted data.

                                                        BACKGROUND

The OCFO is in the process of implementing a new core financial management system to replace
the FMSS component of EDCAPS. OCFO is replacing the FMSS due to significant problems
experienced with the operation and maintenance of the legacy FMSS since its deployment in
October 1997 and due to deficiencies identified by financial statement auditors. ED has selected
Oracle Financials as the replacement FMSS. The implementation of Oracle Financials and
related interfaces is a large-scale system implementation effort. To minimize risks and manage
the complexity of such an effort, it is important that the work proceed in manageable increments.

There are four Phases in the Oracle Financials implementation effort:

     •    Phase I: AR and GL Phase - delivers AR and collections functionality and configures
          the Oracle Federal Financial General Ledger for subsequent phases (completed October
          2000).
          Refer to OIG audit report, ED's Implementation of FMSS Oracle Federal
          Financials Phase I, ED/OIG A11-B0003 issued in December 2001, for audit findings on
          the Phase I implementation.
     •    Phase II: Program System Integration Phase - delivers funds management, purchase
          order (i.e., obligation processing), and accounts payable functionality for program area
          funds and integrates the program systems with the new core Financial Management
          System (Scheduled for completion January 22, 2002).
     •    Phase III: Administrative System Integration Phase - delivers funds management,
          purchase order, and accounts payable functionality for administrative funds and
          integrates the administrative systems with the new core Financial Management System
          (Scheduled for completion January 22, 2002).
     •    Phase IV: Legacy FMSS Shutdown Phase - completes the transfer of all data and
          reporting functions from the legacy FMSS (Scheduled for completion post-
          implementation; a date has not been determined.)

As of December 2001, the estimated cost for developing and implementing Oracle Financials,
including IV&V and the Agreed-Upon-Procedures, is $27.5 million.

                               OBJECTIVES, SCOPE, AND METHODOLOGY

The overall objective of our audit was to identify potential risk areas in the development and
implementation of Oracle Financials.
Our audit included a review of (1) testing, including
interfaces and data conversion; (2) the status of the development of interfaces; (3) IV&V tasks;
(4) Oracle Financials training; (5) Oracle Financials security; and (6) the status of
maintenance/support plans for Oracle Financials.

The purpose of this letter report is to bring to your attention concerns that we identified during
our audit of the implementation of FMSS Oracle Federal Financials (Oracle Financials) Phases II
and III. We generally based our work on the information provided to us as of November 30,
2001. Our analysis focused on determining conditions requiring corrective action and did not
always identify the effect or root causes for the conditions.

To accomplish the audit objective, we reviewed planning and implementation documents
relevant to our reviews of the testing of Oracle Financials functions, user access security, data
conversion, interfaces, enhancements and modifications, operations and maintenance, training,
and independent verification and validation.

Additionally, we interviewed program managers, Oracle Financials Implementation Team
personnel, contractors, selected Oracle Financials end-users, and selected Oracle Financials
Training liaisons. We also conducted interviews with appropriate officials. For the sample of
end-users interviewed, we stratified the list of end-users identified as needing to attend training
and selected a random sample of 12 end-users.

Our audit covered the Phase II & III implementation period. Our fieldwork was performed in
Washington, D.C. between October 31 and November 30, 2001. Our audit was performed in
accordance with government auditing standards appropriate to the scope of the audit described.

                              STATEMENT ON MANAGEMENT CONTROLS

As part of our audit, we reviewed management controls over the implementation of Phases II and
III.
We specifically reviewed controls over testing, the development of interfaces, IV&V tasks,
training, security, and development of maintenance/support plans for Oracle Financials. We
performed our review, in part, to determine the nature, extent, and timing of our substantive tests
to accomplish the audit objectives.

Due to inherent limitations, a study and evaluation made for the limited purpose described above
would not necessarily disclose all material weaknesses in the management controls. Our
assessment did disclose management control weaknesses that adversely affected the
implementation efforts. These weaknesses and their effects are fully discussed in the AUDIT
RESULTS section of this report.

                                            ADMINISTRATIVE MATTERS

Please provide us with your final response to each open recommendation within 60 days of the
date of this report indicating what corrective actions you have taken or plan to take and the
related milestones.

In accordance with OMB Circular A-50, we will keep this audit report on the Office of Inspector
General (OIG) list of unresolved audits until all open issues have been resolved. Any reports
unresolved after 180 days from the date of issuance will be shown as overdue in the OIG’s
Semiannual Report to Congress.

Accordingly, please provide the Supervisor, Post Audit Group, Financial Improvement and Post
Audit Operations, OCIO and OIG’s Assistant Inspector General for Audit Services with
semiannual status reports.
These reports should address promised corrective actions until all
such actions have been completed or continued follow-up is unnecessary.

In accordance with the Freedom of Information Act (Public Law 90-23), reports issued by OIG
are available, if requested, to members of the press and general public to the extent information
contained therein is not subject to exemptions in the Act.

We appreciate the cooperation given during the audit. If you have any questions or wish to
discuss the contents of this report, please call Andrew Patchan, Jr., Senior Director, Systems
Internal Audit Team on 202-863-9497. Please refer to the control number in all correspondence
relating to this report.

Attachments

cc:     William D. Hansen, Deputy Secretary
        Eugene W. Hickok, Under Secretary
        John Danielson, Chief of Staff, OS
        John P. Higgins, Management Improvement Team
        William Haubert, Assistant General Counsel, OGC
        Laurie Rich, Assistant Secretary, OIIA
        Greg Woods, Chief Operating Officer, SFA
        James Lynch, Chief Financial Officer, SFA
        Steve Hawald, Chief Information Officer, SFA
        Linda Paulsen, Deputy Chief Financial Officer, SFA
        Faye Harris, Acting Director of Internal Review Division, SFA


ATTACHMENT A

Results of 52 JFMIP Requirements Reviewed

JFMIP Requirements Fully Tested (Section Total: 7)

 1. Warehouses and schedules payments in accordance with applicable regulations. For example,
    OMB Circular A-125.
 2. Provides the capability to capture, store, and process appropriate invoice information,
    including: invoice number, invoice amount, obligating document references, vendor number,
    payee name and address, discount terms, invoice amount, invoice date, and invoice receipt
    date.
 3. Records additional shipping and other charges to adjust the payment amount, if they are
    authorized.
 4. Adjusts the asset or expense recorded with the liability if the authorized payment (based
    on the invoice) is different from the amount accrued (based upon receipt and acceptance)
    using contract information and any increase is within agency tolerances.
 5. Automatically adjusts the obligation amount and edits for funds availability to cover
    increases.
 6. Automatically updates the funds control and budget execution balances to reflect changes
    in the status of undelivered orders and expended appropriations, as well as changes in
    amounts.
 7. Provides for proper processing of payment confirmations and follow-ups.

JFMIP Requirements Not Referenced in Any Document (Section Total: 9)

 1. System allows for accruals of contracts or other items that cross fiscal years.
 2. System separately identifies amounts that would be eliminated when preparing intra-agency
    and interagency consolidations.
 3. Supports multiple pre-final closings to accommodate incremental adjustments and closings.
 4. Provides for a year-end rollover of appropriate system tables into the new fiscal year,
    under the control of an authorized system administrator.
 5. Provides for reconciliation of all open accounting period (prior month, current month,
    prior fiscal year, and current fiscal year) balances to their respective subsidiaries
    through on-line queries and reports.
 6. System provides for designated authorities to establish and modify the level of fund
    control using elements of the classification structure, including object class, program,
    organization, project, and fund.
 7. System provides for designated authorities to establish and modify the system’s response
    (either reject transaction or provide warning) to the failure of a funds availability edit
    for each transaction type.
 8. Provides the capability to identify payees who receive 1099s, including 1099Cs.
 9. Comparison of the agency’s payment schedule and disbursing office’s accomplished payment
    schedule.

JFMIP Requirements Partially Tested (Section Total: 21)

 1. System maintains historical data to produce comparative financial reports for management
    use.
 2. Prepares trial balances and other supporting information needed for external reports and
    financial statements, including consolidated statements.
 3. Provides for on-line notification of funds availability prior to the distribution of lower
    level funding and the processing of commitment, obligation, or expenditure transactions.
 4. Supports the timely recording of transactions.
 5. Records the financial impact of all transactions that affect the availability of funds,
    such as commitments, liquidations, obligations, and expenditures.
 6. Updates all appropriate accounts to ensure that the system always maintains and reports
    the current status of funds for all open accounting periods.
 7. Adjusts available fund balances as reimbursable orders are accepted. (Note: In the case of
    reimbursable orders from the public, an advance must also be received before additional
    funding authority is recorded).
 8. Records an accrued liability upon receipt and acceptance of goods and services and
    properly identifies them as capital asset, expense, prepaid expense, or construction.
 9. Invoices are recorded through keyboard entry by a user or through an electronic interface
    with vendors in an electronic commerce arrangement.
10. Provides the capability of splitting an invoice into multiple payments on the appropriate
    due dates when items on the invoice have different due dates.
11. Records discount terms and automatically determines whether taking the discount is
    economically justified as defined in the Treasury Financial Manual, Volume I, section
    6-8040.
12. Provides information about each payment to reflect the stage of the scheduling process
    that the payment has reached and the date each step was reached for the following
    processing steps: payment scheduled, schedule sent to appropriate disbursing office, and
    payment issued by appropriate disbursing office.
13. Updates payment information when confirmation is received from the disbursing office,
    including the paid schedule number, check numbers or trace numbers, and date, amount of
    payment, and payment method (check or EFT).
14. Posts transactions to SGL in accordance with the transaction definitions established by
    the core financial system management function.
15. System will selectively generate required transactions as needed by the year-end closing
    procedures.
16. System determines funds availability on adjustments to obligations or based on whether the
    funds cited are current, expired, or cancelled.
17. Allows commitment documents to be entered into the core financial system on-line and from
    multiple locations, as well as through interfaces with other systems.
18. Maintains information needed to support Internal Revenue Service (IRS) 1099 and W-2
    reporting, including TIN and payee type (e.g., sole proprietorship, partnership, and
    corporation).
19. Allows multiple payment addresses and/or bank information for a single payee.
20. Access previously entered information and/or record additional information necessary to
    automatically determine the due date and amount of vendor payments in accordance with OMB
    Circular A-125, based on invoices, receiving reports, and contracts or purchase orders.
21. Establishes payables and makes payments on behalf of another agency, citing the other
    agency’s funding information.

JFMIP Requirements Lacking Completed Test Documentation (Section Total: 15)

 1. Provides the capability to process, track, and control prior fiscal year adjustment
    transactions.
 2. Edit and validation routines used for Funds Availability Editing.
 3. Checks commitment transactions against available funds.
 4. Includes adequate controls to prevent the recording of commitments that exceed available
    balances.
 5. Supports recording obligations or expenditures that exceed available balances and produce
    a report or otherwise provide a method that allows management to review the cause of this
    overobligation condition.
 6. Provides the capabilities and controls for authorized users to override funds availability
    edits.
 7. Provides automatic real-time notification to users of transactions failing the funds
    availability edit and place the rejected transactions in an error file and/or suspense
    account for corrective action.
 8. Checks available funds for obligating documents (including Amendments to obligating
    documents resulting in a change to dollar amounts or to the classification structure).
 9. Checks available funds when the expenditure exceeds the obligating document due to
    quantity or price variances within tolerances, additional shipping charges, etc.
10. Checks available funds for commitments and obligations incurred in support of reimbursable
    agreements.
11. Maintains information related to each commitment document, including amendments. (Note: At
    a minimum, the system must capture requisition number, accounting classification
    structures, and estimated amounts.)
12. Provides for modifications to commitment documents, including ones that change the dollar
    amount or the accounting classification structure cited.
13. Edit and validation routines used for Vendors.
14. Maintains payee information that includes data to support obligation, accounts payable,
    and disbursement processes.
15. Supports payments made to third parties that act as agents for the payee.

TOTAL: 52


ATTACHMENT B
'